01-26-2023 11:39 AM
Hi.
On an ASA5525 with a vanilla configuration, given the default "0, 50, 100" security levels and the default "sysopt connection permit-vpn", is there a general need to place any ACL on the outside interface?
Thank you.
01-26-2023 11:42 AM - edited 01-26-2023 11:42 AM
@MicJameson1 No. The outside interface would by default have a security level of 0 and the inside interface a security level of 100; traffic from the lower security level (0) to the higher (100) would, by default, be denied. You only need an ACL inbound on the outside interface if you wish to selectively permit traffic.
"sysopt connection permit-vpn" is applicable to ignoring the interface ACL for encrypted traffic (L2L or RAVPN).
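As an added illustration of the answer above (this is example configuration, not from the thread or from Cisco documentation): the default security levels, an explicit inbound ACL on outside that permits only one published service, and the sysopt setting changed so that decrypted VPN traffic is also checked against the interface ACL. Interface names, addresses and object names are constructed assumptions; ACLs reference real (untranslated) addresses as on ASA 8.3 and later.

```cisco
! Default security levels: outside 0, inside 100.
! Without any ACL, outside->inside is denied and inside->outside is permitted.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Constructed example server that is published to the Internet on HTTPS only.
object network WEB-SERVER
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.10
!
! Inbound ACL on outside: selectively permit only what must be reachable.
! The trailing deny is already implicit; spelling it out with "log" gives
! syslog visibility of blocked inbound attempts.
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq 443
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! Default is "sysopt connection permit-vpn", which lets decrypted L2L/RAVPN
! traffic bypass OUTSIDE-IN. Disabling it makes VPN traffic subject to the
! interface ACL, so any VPN flows you rely on must then be permitted there.
no sysopt connection permit-vpn
!
! Checks after applying: confirm the sysopt state, watch hit counts, and
! simulate an inbound flow through the policy.
! show running-config sysopt
! show access-list OUTSIDE-IN
! packet-tracer input outside tcp 198.51.100.5 12345 203.0.113.10 443
```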